skylos 2.2.3__py3-none-any.whl → 2.4.0__py3-none-any.whl

skylos/rules/secrets.py

@@ -22,7 +22,15 @@ GENERIC_VALUE = re.compile(r"""(?ix)
     (?:
       (token|api[_-]?key|secret|password|passwd|pwd|bearer|auth[_-]?token|access[_-]?token)
       \s*[:=]\s*(?P<q>['"])(?P<val>[^'"]{16,})(?P=q)
-    )|(?P<bare>[A-Za-z0-9_\-]{24,})
+    )
+    |
+    (?P<bare>
+      (?=[A-Za-z0-9_-]{32,}\b)
+      (?=.*[A-Z])
+      (?=.*[a-z])
+      (?=.*\d)
+      [A-Za-z0-9_-]+
+    )
 """)
 
 SAFE_TEST_HINTS = {
@@ -30,8 +38,12 @@ SAFE_TEST_HINTS = {
     "changeme", "password", "secret", "not_a_real", "do_not_use",
 }
 
+_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
+
 IGNORE_DIRECTIVE = "skylos: ignore[SKY-S101]"
-DEFAULT_MIN_ENTROPY = 3.6
+DEFAULT_MIN_ENTROPY = 3.9
+
+IS_TEST_PATH = re.compile(r"(^|/)(tests?(/|$)|test_[^/]+\.py$)")
 
 def _entropy(s):
     if len(s) == 0:
@@ -64,6 +76,9 @@ def _mask(tok):
         last_part = tok[-4:]
         return first_part + "…" + last_part
 
+def _looks_like_identifier(s):
+    return bool(_IDENTIFIER.fullmatch(s))
+
 def _docstring_lines(tree):
     if tree is None:
         return set()
@@ -107,12 +122,15 @@ def _docstring_lines(tree):
     return docstring_line_numbers
 
 def scan_ctx(ctx, *, min_entropy= DEFAULT_MIN_ENTROPY, scan_comments= True,
-              scan_docstrings= True, allowlist_patterns= None, ignore_path_substrings= None):
+              scan_docstrings= True, allowlist_patterns= None, ignore_path_substrings= None, ignore_tests=True):
     
     rel_path = ctx.get("relpath", "")
     if not rel_path.endswith(ALLOWED_FILE_SUFFIXES):
         return []
     
+    if ignore_tests and IS_TEST_PATH.search(rel_path.replace("\\", "/")):
+        return []
+    
     if ignore_path_substrings:
         for substring in ignore_path_substrings:
             if substring and substring in rel_path:
@@ -220,22 +238,33 @@ def scan_ctx(ctx, *, min_entropy= DEFAULT_MIN_ENTROPY, scan_comments= True,
                         "entropy": round(tok_entropy, 2),
                     }
                     findings.append(aws_finding)
-        
-        generic_match = GENERIC_VALUE.search(line_content)
+
+        in_tests = bool(IS_TEST_PATH.search(rel_path.replace("\\", "/")))
+
+        if in_tests:
+            generic_match = None
+        else:
+            generic_match= GENERIC_VALUE.search(line_content)
+
         if generic_match:
             val_group = generic_match.group("val")
             bare_group = generic_match.group("bare")
             
+            is_bare = False
             if val_group:
                 extracted_token = val_group
             elif bare_group:
                 extracted_token = bare_group
+                is_bare = True
             else:
                 extracted_token = ""
             
             clean_token = extracted_token.strip()
             
             if clean_token:
+                if is_bare and _looks_like_identifier(clean_token):
+                    continue
+                
                 token_lowercase = clean_token.lower()
                 has_safe_hint = False
                 

{skylos-2.2.3.dist-info → skylos-2.4.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skylos
-Version: 2.2.3
+Version: 2.4.0
 Summary: A static analysis tool for Python codebases
 Author-email: oha <aaronoh2015@gmail.com>
 Requires-Python: >=3.9

{skylos-2.2.3.dist-info → skylos-2.4.0.dist-info}/RECORD

@@ -1,12 +1,25 @@
-skylos/__init__.py,sha256=cFxP_uUY-acB9iRs7SE3ccyWiX6v8mI-mJo9bfhC2aU,229
-skylos/analyzer.py,sha256=G_8pw7GmChATc5h5XXij2pcHirhh_5G9Y8dlAC1dx38,16735
-skylos/cli.py,sha256=DOV6nwPbi5zh-OJ3wXjIaPxCfXRtiPMNqo9Zp2nvDBA,19475
+skylos/__init__.py,sha256=lFWlWOwKfByIoAoQkdpcEMF5UisQQuVzdtSNPApOoXI,229
+skylos/analyzer.py,sha256=nwf1pDsXaEhrLm6AkQgaJObVgp8YPP9UzU2NzZ2088o,18791
+skylos/cli.py,sha256=372vGiWC4Z4ZDQbP-P4PYRaEokv8xS9-ko152ejfqcE,25970
 skylos/codemods.py,sha256=-1ehjFLc1MmtK3inoSZF_RyBNWF7XZSOq2KH5_MDzuA,9519
 skylos/constants.py,sha256=kU-2FKQAV-ju4rYw62Tw25uRvqauzjZFUqtvGWaI6Es,1571
 skylos/server.py,sha256=oHuevjdDFvJVbvpTtCDjSLOJ6Zy1jL4BYLYV4VFNMXs,15903
 skylos/visitor.py,sha256=o_2JxjXKXAcWLQr8nmoatGAz2EhBk225qE_piHf3hDg,20458
 skylos/rules/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-skylos/rules/secrets.py,sha256=_cvi-NETScQWMPexb8R2_QtgTRMQGbb09BT1Os246DA,9370
+skylos/rules/secrets.py,sha256=xZOKJwfeyx2el-HlGjTflc50XtjUL7R-8mLOJUkwf30,10092
+skylos/rules/danger/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger.py,sha256=oTG_dK-CAqV4X4DP_AOzKPsOzmYbtgq0pfq0aILmxik,4398
+skylos/rules/danger/danger_cmd/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger_cmd/cmd_flow.py,sha256=b2VOkZ1Lt5ht5AreQrzqcu19BrR8N8xWjYeMqwtRJr8,6675
+skylos/rules/danger/danger_fs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger_fs/path_flow.py,sha256=bhs1HHrxsHVilvQG6-PsZIJ7GpF20Yj7pcavPXFKq2g,5627
+skylos/rules/danger/danger_net/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger_net/ssrf_flow.py,sha256=jyLmMDq7WlCqB2t3O1bKyrOmrr9yAqhEUjytek1Ymbg,5937
+skylos/rules/danger/danger_sql/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger_sql/sql_flow.py,sha256=00QpJTgdwE6lGuiv416o3MW54MkioiMzSlI5jNsYCK4,5212
+skylos/rules/danger/danger_sql/sql_raw_flow.py,sha256=7pYidj8_KCu9UkpHUyFoiDch3Hjc0CHEhTBM-bRXlew,6504
+skylos/rules/danger/danger_web/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+skylos/rules/danger/danger_web/xss_flow.py,sha256=9cK65470f8ulK0aNa8pRFsH3p-7gpenMJvExbJqmjG8,8991
 skylos/visitors/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 skylos/visitors/framework_aware.py,sha256=eX4oU0jQwDWejkkW4kjRNctre27sVLHK1CTDDiqPqRw,13054
 skylos/visitors/test_aware.py,sha256=kxYoMG2m02kbMlxtFOM-MWJO8qqxHviP9HgAMbKRfvU,2304
@@ -17,13 +30,18 @@ test/diagnostics.py,sha256=ExuFOCVpc9BDwNYapU96vj9RXLqxji32Sv6wVF4nJYU,13802
 test/test_analyzer.py,sha256=WhEYSI1atRee2Gqd9-Edw6F-tdRS9DBqS0D0aqK6MKc,21093
 test/test_changes_analyzer.py,sha256=l1hspCFz-sF8gqOilJvntUDuGckwhYsVtzvSRB13ZWw,5085
 test/test_cli.py,sha256=rtdKzanDRJT_F92jKkCQFdhvlfwVJxfXKO8Hrbn-mIg,13180
+test/test_cmd_injection.py,sha256=sG5Ryq18kPKhawB4ZxbGYeXPcCHagFTcWultNoX9XxY,1160
 test/test_codemods.py,sha256=Tbp9jE95HDl77EenTmyTtB1Sc3L8fwY9xiMNVDN5lxo,4522
 test/test_constants.py,sha256=pMuDy0UpC81zENMDCeK6Bqmm3BR_HHZQSlMG-9TgOm0,12602
+test/test_dangerous.py,sha256=aaksXFYrNb0gSCdbrYmL77EMmQC6F395NKzUmV8opYA,3427
 test/test_framework_aware.py,sha256=G9va1dEQ31wsvd4X7ROf_1YhhAQG5CogB7v0hYCojQ8,8802
 test/test_integration.py,sha256=bNKGUe-w0xEZEdnoQNHbssvKMGs9u9fmFQTOz1lX9_k,12398
 test/test_new_behaviours.py,sha256=vAON8rR09RXawZT1knYtZHseyRcECKz5bdOspJoMjUA,1472
-test/test_secrets.py,sha256=rjC-iQD9s8U296PyHP0vMEjC6CC9mJwKiFj7Sm-xsuo,5711
+test/test_path_traversal.py,sha256=CI49yJwLqHIHwqrPkJwjEBz7pY7dy5B8A62H8qu_YGk,1098
+test/test_secrets.py,sha256=cxbe8zH6lv5aKgazCW01q-mX5F2dRsiH6N2lDXb7ueY,6010
 test/test_skylos.py,sha256=kz77STrS4k3Eez5RDYwGxOg2WH3e7zNZPUYEaTLbGTs,15608
+test/test_sql_injection.py,sha256=BvwGTKgshFWWF8on1Qoa2_wKKgF5noBfpq-dtnx6DsM,1634
+test/test_ssrf.py,sha256=ob3D36o_Me0TjOcVeFUwHBAVERbsgdBqtuW6F2smgGM,1445
 test/test_test_aware.py,sha256=VmbR_MQY0m941CAxxux8OxJHIr7l8crfWRouSeBMhIo,9390
 test/test_visitor.py,sha256=xAbGv-XaozKm_0WJJhr0hMb6mLaJcbPz57G9-SWkxFU,22764
 test/sample_repo/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -33,8 +51,8 @@ test/sample_repo/sample_repo/commands.py,sha256=b6gQ9YDabt2yyfqGbOpLo0osF7wya8O4
 test/sample_repo/sample_repo/models.py,sha256=xXIg3pToEZwKuUCmKX2vTlCF_VeFA0yZlvlBVPIy5Qw,3320
 test/sample_repo/sample_repo/routes.py,sha256=8yITrt55BwS01G7nWdESdx8LuxmReqop1zrGUKPeLi8,2475
 test/sample_repo/sample_repo/utils.py,sha256=S56hEYh8wkzwsD260MvQcmUFOkw2EjFU27nMLFE6G2k,1103
-skylos-2.2.3.dist-info/METADATA,sha256=ug19tHc6winuwwnlmWqv87j18KfrnAKs14KvFRA-ivo,314
-skylos-2.2.3.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-skylos-2.2.3.dist-info/entry_points.txt,sha256=zzRpN2ByznlQoLeuLolS_TFNYSQxUGBL1EXQsAd6bIA,43
-skylos-2.2.3.dist-info/top_level.txt,sha256=f8GA_7KwfaEopPMP8-EXDQXaqd4IbsOQPakZy01LkdQ,12
-skylos-2.2.3.dist-info/RECORD,,
+skylos-2.4.0.dist-info/METADATA,sha256=_zgyV0RiF1UQMnVYxfWzNzW5fa-vt3y1kNIu0xD32eU,314
+skylos-2.4.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+skylos-2.4.0.dist-info/entry_points.txt,sha256=zzRpN2ByznlQoLeuLolS_TFNYSQxUGBL1EXQsAd6bIA,43
+skylos-2.4.0.dist-info/top_level.txt,sha256=f8GA_7KwfaEopPMP8-EXDQXaqd4IbsOQPakZy01LkdQ,12
+skylos-2.4.0.dist-info/RECORD,,

test/test_cmd_injection.py

@@ -0,0 +1,41 @@
+from pathlib import Path
+from skylos.rules.danger import scan_ctx
+
+def _write(tmp_path: Path, name, code):
+    p = tmp_path / name
+    p.write_text(code, encoding="utf-8")
+    return p
+
+def _rule_ids(findings):
+    return {f["rule_id"] for f in findings}
+
+def _scan_one(tmp_path: Path, name, code):
+    file_path = _write(tmp_path, name, code)
+    return scan_ctx(tmp_path, [file_path])
+
+def test_os_system_tainted_flags(tmp_path):
+    code = (
+        "import os\n"
+        "def f(x):\n"
+        "    os.system('echo ' + x)\n"
+    )
+    out = _scan_one(tmp_path, "cmd_os.py", code)
+    assert 'SKY-D212' in _rule_ids(out)
+
+def test_subprocess_shell_true_tainted_flags(tmp_path):
+    code = (
+        "import subprocess\n"
+        "def f(cmd):\n"
+        "    subprocess.run('sh -c ' + cmd, shell=True)\n"
+    )
+    out = _scan_one(tmp_path, "cmd_subp.py", code)
+    assert 'SKY-D212' in _rule_ids(out)
+
+def test_os_system_constant_does_not_trigger_D212(tmp_path):
+    code = (
+        "import os\n"
+        "def f():\n"
+        "    os.system('echo hi')\n"
+    )
+    out = _scan_one(tmp_path, "cmd_const.py", code)
+    assert 'SKY-D212' not in _rule_ids(out)

test/test_dangerous.py

@@ -0,0 +1,101 @@
+from pathlib import Path
+from skylos.rules.danger import scan_ctx
+
+def _write(tmp_path: Path, name, code):
+    p = tmp_path / name
+    p.write_text(code, encoding="utf-8")
+    return p
+
+def _rule_ids(findings):
+    rule_ids = set()
+    for f in findings:
+        rule_ids.add(f["rule_id"])
+    return rule_ids
+
+def _scan_one(tmp_path: Path, name, code):
+    file_path = _write(tmp_path, name, code)
+    return scan_ctx(tmp_path, [file_path])
+
+def test_eval(tmp_path):
+    out = _scan_one(tmp_path, "a_eval.py", 'eval("1+1")\n')
+    assert "SKY-D201" in _rule_ids(out)
+
+def test_exec(tmp_path):
+    out = _scan_one(tmp_path, "a_exec.py", 'exec("print(1)")\n')
+    assert "SKY-D202" in _rule_ids(out)
+
+def test_os_system(tmp_path):
+    out = _scan_one(tmp_path, "a_os.py", "import os\nos.system('echo hi')\n")
+    assert "SKY-D203" in _rule_ids(out)
+
+def test_pickle_loads(tmp_path):
+    out = _scan_one(tmp_path, "a_pickle.py", "import pickle\npickle.loads(b'\\x80\\x04K\\x01.')\n")
+    assert "SKY-D205" in _rule_ids(out)
+
+def test_yaml_load_without_safeloader(tmp_path):
+    out = _scan_one(tmp_path, "a_yaml.py", "import yaml\nyaml.load('a: 1')\n")
+    assert "SKY-D206" in _rule_ids(out)
+
+def test_md5_sha1(tmp_path):
+    out = _scan_one(tmp_path, "a_hashes.py", "import hashlib\nhashlib.md5(b'd')\nhashlib.sha1(b'd')\n")
+    ids = _rule_ids(out)
+    assert "SKY-D207" in ids
+    assert "SKY-D208" in ids
+
+def test_subprocess_shell_true(tmp_path):
+    out = _scan_one(tmp_path, "a_subproc.py", "import subprocess\nsubprocess.run('echo hi', shell=True)\n")
+    assert "SKY-D209" in _rule_ids(out)
+
+def test_requests_verify_false(tmp_path):
+    out = _scan_one(tmp_path, "a_requests.py", "import requests\nrequests.get('https://x', verify=False)\n")
+    assert "SKY-D210" in _rule_ids(out)
+
+def test_yaml_safe_loader_does_not_trigger(tmp_path):
+    code = (
+        "import yaml\n"
+        "from yaml import SafeLoader\n"
+        "yaml.load('a: 1', Loader=SafeLoader)\n"
+    )
+    out = _scan_one(tmp_path, "b_yaml_safe.py", code)
+    assert "SKY-D206" not in _rule_ids(out)
+
+def test_subprocess_without_shell_true_is_ok(tmp_path):
+    code = "import subprocess\nsubprocess.run(['echo','hi'])\n"
+    out = _scan_one(tmp_path, "b_subproc_ok.py", code)
+    assert "SKY-D209" not in _rule_ids(out)
+
+def test_requests_default_verify_true_is_ok(tmp_path):
+    code = "import requests\nrequests.get('https://example.com')\n"
+    out = _scan_one(tmp_path, "b_requests_ok.py", code)
+    assert "SKY-D210" not in _rule_ids(out)
+
+def test_sql_execute_interpolated_flags(tmp_path):
+    code = """
+def f(cur, name):
+    # f-string interpolation -> should flag SKY-D211
+    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
+"""
+    out = _scan_one(tmp_path, "sql_interp.py", code)
+    assert "SKY-D211" in _rule_ids(out)
+
+
+def test_sql_execute_parameterized_ok(tmp_path):
+    code = """
+def f(cur, name):
+    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
+"""
+    out = _scan_one(tmp_path, "sql_param_ok.py", code)
+    assert "SKY-D211" not in _rule_ids(out)
+
+
+def test_sql_executescript_or_executemany_interpolated_flags(tmp_path):
+    code = """
+def g(cur, tbl):
+    cur.executescript("CREATE TABLE " + tbl)
+
+def h(cur, values):
+    cur.executemany("INSERT INTO t (a,b) VALUES (" + values + ")", [])
+"""
+    out = _scan_one(tmp_path, "sql_execscripts.py", code)
+    ids = _rule_ids(out)
+    assert "SKY-D211" in ids

test/test_path_traversal.py

@@ -0,0 +1,40 @@
+from pathlib import Path
+from skylos.rules.danger import scan_ctx
+
+def _write(tmp_path: Path, name, code):
+    p = tmp_path / name
+    p.write_text(code, encoding="utf-8")
+    return p
+
+def _rule_ids(findings):
+    return {f["rule_id"] for f in findings}
+
+def _scan_one(tmp_path: Path, name, code):
+    file_path = _write(tmp_path, name, code)
+    return scan_ctx(tmp_path, [file_path])
+
+def test_open_tainted_flags(tmp_path):
+    code = (
+        "def f(p):\n"
+        "    with open(p, 'r', encoding='utf-8', errors='ignore') as fh:\n"
+        "        fh.read()\n"
+    )
+    out = _scan_one(tmp_path, "pt_open.py", code)
+    assert 'SKY-D215' in _rule_ids(out)
+
+def test_os_remove_tainted_flags(tmp_path):
+    code = (
+        "import os\n"
+        "def f(p):\n"
+        "    os.remove(p)\n"
+    )
+    out = _scan_one(tmp_path, "pt_os.py", code)
+    assert 'SKY-D215' in _rule_ids(out)
+
+def test_open_constant_ok(tmp_path):
+    code = (
+        "def f():\n"
+        "    open('README.md', 'r')\n"
+    )
+    out = _scan_one(tmp_path, "pt_ok.py", code)
+    assert 'SKY-D215' not in _rule_ids(out)

test/test_secrets.py

@@ -77,16 +77,6 @@ def test_aws_secret_access_key_special_case():
     assert "entropy" in hit and isinstance(hit["entropy"], float)
     assert ELLIPSIS in hit["preview"]
 
-
-def test_generic_entropy_detection_and_threshold():
-    src = 'X = "o2uV7Ew1kZ9Q3nR8sT5yU6pX4cJ2mL7a"\n'
-    findings = list(scan_ctx(_ctx_from_source(src)))
-    assert any(f["provider"] == "generic" for f in findings)
-
-    findings_high_thr = list(scan_ctx(_ctx_from_source(src), min_entropy=8.0))
-    assert not any(f["provider"] == "generic" for f in findings_high_thr)
-
-
 def test_ignore_directive_suppresses_matches():
     src = 'GITHUB_TOKEN = "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # skylos: ignore[SKY-S101]\n'
     findings = list(scan_ctx(_ctx_from_source(src)))
@@ -177,3 +167,27 @@ def test_safe_hints_suppress_detection():
     safe_line = 'EXAMPLE_TOKEN = "sk_test_this_is_example_value_not_real_123456"\n'
     out = list(scan_ctx(_ctx_from_source(safe_line)))
     assert out == []
+
+def test_generic_is_suppressed_in_test_paths():
+    src = 'X = "o2uV7Ew1kZ9Q3nR8sT5yU6pX4cJ2mL7a"\n'
+    findings = list(scan_ctx(_ctx_from_source(src, rel="tests/unit/test_secrets.py")))
+    
+    generic_findings = []
+    for f in findings:
+        if f["provider"] == "generic":
+            generic_findings.append(f)
+    
+    assert len(generic_findings) == 0
+
+def test_normal_strings_ignored():
+    src = 'X = "config_path"\n'
+    ctx = _ctx_from_source(src)
+    findings = list(scan_ctx(ctx))
+    
+    generic_findings = []
+    for f in findings:
+        if f["provider"] == "generic":
+            generic_findings.append(f)
+    
+    assert len(generic_findings) == 0
+

test/test_sql_injection.py

@@ -0,0 +1,54 @@
+from pathlib import Path
+from skylos.rules.danger import scan_ctx
+
+def _write(tmp_path: Path, name, code):
+    p = tmp_path / name
+    p.write_text(code, encoding="utf-8")
+    return p
+
+def _rule_ids(findings):
+    return {f["rule_id"] for f in findings}
+
+def _scan_one(tmp_path: Path, name, code):
+    file_path = _write(tmp_path, name, code)
+    return scan_ctx(tmp_path, [file_path])
+
+def test_sqlalchemy_text_tainted_flags(tmp_path):
+    code = (
+        "import sqlalchemy as sa\n"
+        "def f(ip):\n"
+        "    sa.text('DELETE FROM logs WHERE ip=' + ip)\n"
+    )
+    out = _scan_one(tmp_path, "raw_sa.py", code)
+    assert 'SKY-D217' in _rule_ids(out)
+
+def test_pandas_read_sql_tainted_flags(tmp_path):
+    code = (
+        "import pandas as pd\n"
+        "def f(conn, name):\n"
+        "    pd.read_sql(f\"SELECT * FROM users WHERE name='{name}'\", conn)\n"
+    )
+    out = _scan_one(tmp_path, "raw_pd.py", code)
+    assert 'SKY-D217' in _rule_ids(out)
+
+def test_django_objects_raw_tainted_flags(tmp_path):
+    code = (
+        "class _O:\n"
+        "    def raw(self, *a, **k):\n"
+        "        return []\n"
+        "class User:\n"
+        "    objects = _O()\n"
+        "def f(u):\n"
+        "    User.objects.raw('SELECT * FROM auth_user WHERE username=' + u)\n"
+    )
+    out = _scan_one(tmp_path, "raw_dj.py", code)
+    assert 'SKY-D217' in _rule_ids(out)
+
+def test_raw_constant_ok(tmp_path):
+    code = (
+        "import pandas as pd\n"
+        "def f(conn):\n"
+        "    pd.read_sql('SELECT 1 AS x', conn)\n"
+    )
+    out = _scan_one(tmp_path, "raw_ok.py", code)
+    assert 'SKY-D217' not in _rule_ids(out)

test/test_ssrf.py

@@ -0,0 +1,51 @@
+from pathlib import Path
+from skylos.rules.danger import scan_ctx
+
+def _write(tmp_path: Path, name, code):
+    p = tmp_path / name
+    p.write_text(code, encoding="utf-8")
+    return p
+
+def _rule_ids(findings):
+    return {f["rule_id"] for f in findings}
+
+def _scan_one(tmp_path: Path, name, code):
+    file_path = _write(tmp_path, name, code)
+    return scan_ctx(tmp_path, [file_path])
+
+def test_requests_tainted_url_flags(tmp_path):
+    code = (
+        "import requests\n"
+        "def f():\n"
+        "    u = input()\n"
+        "    requests.get(u)\n"
+    )
+    out = _scan_one(tmp_path, "ssrf_req.py", code)
+    assert 'SKY-D216' in _rule_ids(out)
+
+def test_httpx_tainted_url_flags(tmp_path):
+    code = (
+        "import httpx\n"
+        "def f(url):\n"
+        "    httpx.post('http://' + url)\n"
+    )
+    out = _scan_one(tmp_path, "ssrf_httpx.py", code)
+    assert 'SKY-D216' in _rule_ids(out)
+
+def test_urllib_urlopen_tainted_url_flags(tmp_path):
+    code = (
+        "import urllib.request as u\n"
+        "def f(x):\n"
+        "    u.urlopen(f'http://{x}')\n"
+    )
+    out = _scan_one(tmp_path, "ssrf_urlopen.py", code)
+    assert 'SKY-D216' in _rule_ids(out)
+
+def test_requests_constant_url_ok(tmp_path):
+    code = (
+        "import requests\n"
+        "def f():\n"
+        "    requests.get('https://example.com', timeout=3)\n"
+    )
+    out = _scan_one(tmp_path, "ssrf_ok.py", code)
+    assert 'SKY-D216' not in _rule_ids(out)